[RPZ] RPZ seen at MAAWG

Paul Vixie vixie at isc.org
Sat Oct 9 19:59:55 UTC 2010

> Date: Fri, 8 Oct 2010 12:16:41 -0700
> From: Jeff Chan <jeffc at surbl.org>
> On Wednesday, October 6, 2010, 7:54:31 AM, Eric Ziegast wrote:
> > #### ISC does not publish any RPZ or give perception of publishing

that may change.  i'm thinking of creating an incident-level rpz that lists
only things like licat and conficker names, as a technology demonstration.

> > #### SuperWildcard
> > The limitation of wildcard records could be an issue.  I one lists:
> >    mecom.ae.@ IN A .
> >    *.mecom.ae.@ IN A .
> > How does one take care of www.qatar.mecom.ae without specifically
> > listing *.qatar.mecom.ae in the zone?  Do we need a Super Wildcard
> > capability in zone file specifications that matches all sub-domains?
> > not just the current level?

sorry, hadn't seen this before.  it is indeed the "superwild" you describe,
since it's just dns.  so just as *.vix.com would match www.lah1.vix.com in
a normal dns zone file, so *.mecom.ae matches www.qatar.mecom.ae in an RPZ.

> Actually a super wildcard that included the parent domain would be
> extremely handy.  If it existed, then the example above could be
> collapsed to:
> *.mecom.ae.@ IN A .
> which would halve the size of the zone file.  Vix indirectly
> commented on this privately.

yes i did.  what i finally decided was, most of the time bad domains are
specific, and we don't need to be adding the * pattern, since the bad guys
are not going to evade a foobar.info blockade by using baz.foobar.info.  if
that changes then we can adapt easily.  for now it's a lot of extra patterns
and a lot of more or less wasted ram to include the * patterns we all add.

> I'd bet that Nominum already has a similar functionality, so I'd guess it
> would not be too hard for them to add RPZ support.  In fact, I'd
> recommend they do.


More information about the DNSfirewalls mailing list